Snort mailing list archives
RE: Detecting VNC, PCAnywhere etc.
From: "Mark Spieth" <mspieth () shellserve net>
Date: Sun, 5 Aug 2001 17:04:47 -0400
PCAW RULES

misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login";flags: A+; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:1;)
misc.rules:alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; content:"Invalid login"; offset:5; depth:13; flags:A+; classtype:unsuccessful-user; sid:511; rev:1;)
misc.rules:alert tcp $HOME_NET 5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login";flags: A+; content:"Invalid login"; depth: 16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:1;)
policy.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"MISC PCAnywhere Startup"; content:"ST"; depth: 2; reference:arachnids,239; classtype:bad-unknown; sid:566; rev:1;)
shellserve.ids:alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login";flags: A+; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:1;)
shellserve.ids:alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; content:"Invalid login"; offset:5; depth:13; flags:A+; classtype:unsuccessful-user; sid:511; rev:1;)
shellserve.ids:alert tcp $HOME_NET 5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login";flags: A+; content:"Invalid login"; depth: 16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:1;)
shellserve.ids:alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"MISC PCAnywhere Startup"; content:"ST"; depth: 2; reference:arachnids,239; classtype:bad-unknown; sid:566; rev:1;)

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sheahan, Paul (PCLN-NW)
Sent: Sunday, August 05, 2001 3:53 PM
To: 'Snort-users () lists sourceforge net'
Subject: [Snort-users] Detecting VNC, PCAnywhere etc.
Hello,

A popular method used by hackers after compromising a host on your network is to make some type of connection back out to the Internet to gather tools (usually an FTP, TFTP, VNC, PCAW, Telnet connection etc). I would like to be able to detect this type of attempt. I tried this using a rule to detect when certain destination ports (i.e. 5631 for PCAnywhere) are accessed, but there is one problem with this. Since machines connect to our web site with a random source port (i.e. 5631, which is used by PCAnywhere), our web server replies with that source port as the destination port in the message going back. This triggers a false positive when it sees 5631 as the destination port, for example. Is anyone out there checking for this type of traffic on their network, and if so, can you recommend a good rule?

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
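To make the false-positive mechanics in Paul's question concrete, here is a small added example (not from the thread and not Snort's own code): a Python stand-in for Snort's rule matcher that parses two of the PCAnywhere rules quoted in the reply plus a constructed destination-port-only rule of the kind Paul tried, and runs them over constructed packets. The $HOME_NET value, the local sid 9000001, the sample packets and the reading of depth as relative to offset are assumptions of this demo.

```python
import ipaddress
import re
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed value for the demo

RULES = [
    # sid 507 and sid 511 exactly as quoted in the reply above
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login";flags: A+; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:1;)',
    'alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; content:"Invalid login"; offset:5; depth:13; flags:A+; classtype:unsuccessful-user; sid:511; rev:1;)',
    # constructed: the destination-port-only approach the original poster tried (local placeholder sid)
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 5631 (msg:"CONSTRUCTED outbound to 5631"; sid:9000001; rev:1;)',
]
HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")
OPTION = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')

def parse_rule(text):
    # header: action proto src sport -> dst dport, then "key:value;" options in parentheses
    _action, proto, src, sport, dst, dport, body = HEADER.match(text.strip()).groups()
    opts = {k: v.strip().strip('"') for k, v in OPTION.findall(body)}
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}
PARSED = [parse_rule(r) for r in RULES]

def side_match(net_spec, port_spec, ip, port):
    inside = ipaddress.ip_address(ip) in HOME_NET
    net_ok = {"$HOME_NET": inside, "$EXTERNAL_NET": not inside, "any": True}[net_spec]
    return net_ok and (port_spec == "any" or int(port_spec) == port)

def rule_fires(rule, pkt):
    o = rule["opts"]
    if not (side_match(rule["src"], rule["sport"], pkt["src"], pkt["sport"])
            and side_match(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"])):
        return False
    # flags:A+ means ACK must be set; other flags may be set as well
    if "flags" in o and not set(o["flags"].rstrip("+")) <= set(pkt["flags"]):
        return False
    if "content" not in o:
        return True  # header-only rule: any packet matching the ports fires it
    start = int(o.get("offset", 0))
    # depth is taken relative to offset here (Snort 2 semantics, assumed for the demo)
    end = start + int(o["depth"]) if "depth" in o else len(pkt["payload"])
    return o["content"].encode() in pkt["payload"][start:end]

def alerts(pkt):
    return [r["opts"]["sid"] for r in PARSED if rule_fires(r, pkt)]

def packet(src, sport, dst, dport, payload, flags="PA"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "payload": payload}

# Constructed traffic: a web server answering a client whose ephemeral port is 5631, and two PCAnywhere exchanges
WEB_REPLY = packet("10.1.2.3", 80, "198.51.100.7", 5631, b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n")
PCAW_INVALID = packet("10.1.2.3", 5631, "198.51.100.7", 49152, b"\x00\x00\x00\x00\x00Invalid login")
PCAW_ADMIN = packet("198.51.100.7", 40000, "10.1.2.3", 5631, b"\x00\x01ADMINISTRATOR\x00")
```

The web reply trips only the constructed port-only rule, while the two content-anchored rules fire only on the actual PCAnywhere payloads, which is the distinction Paul's port-only rule could not make.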
Current thread:
- Detecting VNC, PCAnywhere etc. Sheahan, Paul (PCLN-NW) (Aug 05)
- RE: Detecting VNC, PCAnywhere etc. Mark Spieth (Aug 05)